An American security consultant who stole hundreds of thousands of online bank passwords by employing a massive botnet that he often administered from work deserves at least five years in prison, prosecutors have told a federal judge.
The request for a minimum 60-month sentence, followed by five years of supervised release, came …

Say WHAT?!?!?!1

This guy wants an easier sentence, for something he did that stole money and people's identities, while committing a violation being on parole, passing along info to other thieves, all WHILE BEING A SECURITY CONSULTANT PAID TO FIND AND FIX SECURITY RELATED ISSUES, because he has a "substance abuse problem and was 'sexually' abused"??!!

Umm am I the only one who damn near burst a blood vessel in the head trying to figure out this one? What a fucking retard. Seriously if those were mitigating factors then shouldn't they have been talked about and handled the first time around with the law? Throw the book at him!

5 years?

Seriously, prosecution is asking for 5 years behind the bars for this (which may or may not be appropriate). But some nutters still want to deport McKinnon to the US. If this guy deserves 5 years (and he's going to get much less, presumably: this is the prosecution request), McKinnon should get a few 10s hrs of community service. Is it really worth an extradition?

Cut His Goolies Off

@O´Brian

@ Pierre

IIRC they want to put McKinnon on trial in a military court because he "hacked" military computers, so it will not be community service it'll be hard time in Leavenworth or wherever it is they put spies and traitors these days. Just 'cause he showed up their crap security they think of him as a spy.

So Wrong

The article is so far off it's ridiculous. And you clowns commenting don't get that this wasn't "today's malware". This was a zombie net, and the damages were non-existent as they needed the combined bandwidth. Blame the lackeys for the stolen passes and such.

re: Say WHAT?!?!?!1

No, you're not the only one. I seriously want to know how the defense attorney could write and submit that without laughing. Who knows, maybe he was laughing at the time. I cannot for the life of me understand how "didn't steal MUCH money" can possibly be a mitigating factor. Everything he did screams "lock me up for life" to me, especially when he did it from work, employed as a security consultant. I'd love to know the defense's definition of "lasting damage", since the attacks against his victims (from him and those he passed the information onto) will have identity and financial consequences for years to come. Not to mention the immediate cost of cleaning his malware off of the system, a cost most people probably won't be able to afford right now.

And am I the only one who's sick and tired of people trying to blame everyone else for their actions? Substance abuse and sexual abuse do not dictate this sort of behavior. You committed a crime, you fucked up, you got caught. Deal with it. There's a reason we have laws. When we show people that criminals can do pretty much whatever they want and get away with it, we show them that it's acceptable behavior and that the laws are meaningless.

People like this, who knowingly, willingly, and intentionally cause damage to others, especially on a massive scale like this, need to be shown that their behavior is not acceptable. And other people need to be shown that this behavior is not acceptable. "Oh, but he didn't cause much lasting damage". That doesn't matter. He *INTENDED* to, as evidenced by his attitude and his passing of the information to others. We, as a global society, need to show that this behavior will not be tolerated, that it has serious consequences. He should be made to personally apologize to every person affected, and remove his malware from their system (supervised by a competent tech to make sure he does remove it without causing additional damage). He should be made to reimburse every affected person for however much this ultimately costs them, including the cost of lifetime credit monitoring (lifetime, not this meaningless "one year of monitoring" that banks and companies get away with). He should be made to give back a portion of his paycheck to his employer for the time he spent not doing his job. He should be made to personally apologize to his employer and pay them back for whatever this ultimately costs them (if any), including lost business resulting from this. Finally, he should be made to perform some laborious task (think prison chain gang) uncomfortable enough to discourage him from even thinking about doing this again.

5 years? FIVE YEARS?!?

FFS, if the stupid bastards don't have the decency to show this little fucker to the end of a rope then at least they could give him fifty years instead! Five years, he'll be out and doing it all over again. And pleading sexual abuse? I don't care if he was arse-ra[ disgusting and horrific child-abuse description censored due to UK decency laws ]nd a mining drill, it has nothing to do with his ruining thousands of peoples' lives. String the little bastard up, I say!

Bots? No. ID theft? yes

In my view, the 250,000 bot net is really not a big deal, if as he claims it did not cause any harm. I mean I certainly wouldn't start one up, but with these Windows holes these days, it's not that hard to get a botnet that size. Also, he's probably right that the bot did not harm the machines it's on. In addition, although ironic, doing it from work is a work issue more than a legal issue.

HOWEVER, the ID theft is a big deal. So he (through his lawyer) gets real weasely and says he "ultimately did not steal much money". Well, OK, he maybe didn't *steal* much money.. this doesn't say if he made tons of money reselling these illegally obtained account infos or not. This is super-greasy and he should get 5 years for this alone.

"Prison is a boys club. All that talk about abuse there is stupidly ill informed. The worst that will happen is he can't talk to women and go out for a pint with his mates."

This depends on the prison, and on if he behaves respectably or not. I know a few people who were inside.. one was in for 2 days presumably at a rougher prison and had to kick the crap out of someone on day one, they tried to "take it from him". The other was in longer (in a different prison) and said people had no problem as long as they treated each other with respect, the ones who were not respectful had problems. So I'm guessing he'll almost immediately try to defraud his fellow inmates, and then they'll abuse him plenty.

Going through the motions.

"2 days presumably at a rougher prison and had to kick the crap out of someone on day one, they tried to "take it from him".."

It takes longer than two days to get processed. You won't get to see anyone in that time. While they don't know who you are you get locked up 23/7. If he kicked the crap out of anyone he'd be in a lot longer than 2 days. Was in for telling fibs?

He could do that standing on his head. Take what from him? They wouldn't put a violent or an aggressive man in with someone till he'd been sorted.

"people had no problem as long as they treated each other with respect, the ones who were not respectful had problems."

"Quit bein' a bitch and claim it"

Abuse

Substance abuse may be some sort of excuse for rolling round the floor in your own excrement, or picking a fight with a stranger, but surely not for a careful, methodical, drawn-out demonstration of higher than average intellect.

I only think that I program better when I'm pissed, never tried it high and don't think I ever will.

This is why we use multiple cross checks on our staff

Seriously, there is no way I would consider using someone unless I have at least two independent OKs from sources I trust. Most of my guys have 3, and tend to appreciate why we audit. It's a pain, but we have to: plenty of criminals around - and idiots.

The ONLY barrier between discovering security issues and abuse thereof is an almost overdeveloped sense of ethics. Unless I can sense that being present you won't even go in for the trial period. There is not a single argument for using someone like that in security because he cannot assure the single most critical component for security work: trust.